CVE-2026-46446

7.1HIGH

Key Information:

Vendor: Alinto
Status: Sogo
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-46446?

SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.

Affected Version(s)

SOGo 0 < 5.12.7

References

https://www.sogo.nu/news/2026/sogo-v5127-released.html

https://github.com/Alinto/sogo/pull/379/changes/1f7e5d2b2...

https://www.mail-archive.com/debian-bugs-dist%40lists.deb...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 14, 2026

CVE-2026-46446 Data

JSON